HDDS-14574. Enforce 700 permissions on Ozone Metadata and Data(hdds) directories

[Gargi-jais11]

What changes were proposed in this pull request?

Current Behaviour:
For Ozone metadata of OM, SCM, DN and Recon and Datanode Directory(/data/hdds) have 750 and 755 permissions respectively.

Proposed Behaviour:
We should bring Ozone up to parity with HDFS, where we have both a parameter that controls the permission, as well as health alerts for lax permissions.
Incorrectly permissioned data directories can lead to a serious data breach as any user (e.g. any Spark application) is able to read the data files.
Make the default permissions for all ozone metadata and data directories as 700 similar to hdfs.

Added new config for data directory permission: hdds.datanode.data.dir.permissions with default value of 700 and changed ozone metadata directory permissions to 700 from 750.

What is the link to the Apache JIRA

https://issues.apache.org/jira/browse/HDDS-14574

How was this patch tested?

Added unit tests. Also manually tested for permissions:

// DN
[bash]# ls -la
total 4
drwx------ 8 hdfs hdfs 190 Feb 3 08:28 .
drwxr-xr-x 6 root root 76 Feb 2 04:46 ..
-rw-r--r-- 1 hdfs hdfs  0 Feb 3 08:28 cd
drwx------ 3 hdfs hdfs 65 Feb 3 08:28 data --------------------------> 700 data
-rw-r--r-- 1 hdfs hdfs 408 Feb 3 06:08 datanode.id
drwxr-xr-x 2 hdfs hdfs 10 Feb 2 04:46 db.checkpoints
drwxr-xr-x 3 hdfs hdfs 37 Feb 2 04:46 db.snapshots
drwx------ 5 hdfs hdfs 72 Feb 3 07:17 ozone-metadata. ---------------------> 700 metadata
drwxr-xr-x 3 root root 26 Feb 2 04:46 ratis
drwxr-xr-x 2 hdfs hdfs 333 Feb 3 06:08 witnessed_container.db

// OM
[bash om]# ls -la
total 0
drwxr-xr-x 5 root root 69 Feb 2 04:46 .
drwxr-xr-x 6 root root 76 Feb 2 04:46 ..
drwx------ 6 hdfs hdfs 112 Feb 4 06:03 data 
drwx------ 7 hdfs hdfs 117 Feb 2 06:07 ozone-metadata
drwxr-xr-x 3 hdfs hdfs 58 Feb 2 04:47 ratis

// recon
[bash recon]# ls -la
total 0
drwxr-xr-x 6 root root 81 Feb 2 04:46 .
drwxr-xr-x 6 root root 76 Feb 2 04:46 ..
drwx------ 8 hdfs hdfs 184 Feb 2 04:47 data
drwxr-xr-x 3 root root 18 Feb 2 04:46 om
drwx------ 4 hdfs hdfs 48 Feb 2 04:46 ozone-metadata
drwxr-xr-x 3 root root 26 Feb 2 04:46 scm

//SCM
[bash scm]# ls -la
total 0
drwxr-xr-x 5 root root 69 Feb 2 04:46 .
drwxr-xr-x 6 root root 76 Feb 2 04:46 ..
drwx------ 6 hdfs hdfs 93 Feb 2 04:46 data
drwx------ 6 hdfs hdfs 96 Feb 2 06:07 ozone-metadata
drwxr-xr-x 3 hdfs hdfs 58 Feb 2 04:46 ratis

[Gargi-jais11]

@ChenSammi , @sumitagrawl and @jojochuang Please review the patch.

[sreejasahithi]

Thanks @Gargi-jais11 for working on this, left few comments

[sreejasahithi]

Could we add some test coverage for the permission change of metadata dir as well as for the db.

[sreejasahithi]

This method is called by initializeImpl() for DbVolume (and HddsVolume), but it always uses
HDDS_DATANODE_DATA_DIR_PERMISSIONS. This means DbVolume directories get data directory permissions. is this intentional?

[sreejasahithi]

Suggested change

	LOG.debug("Set permissions {} on directory {}", symbolicPermission, dir);
	LOG.debug("Set permissions {} on directory {} using config key {}",
	symbolicPermission, dir, permissionConfigKey);

[sreejasahithi]

This method does not throw exception as we are logging the warning.